e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
Size

1011KB
MD5

cbe2a525a70f1ae12ed19db3d2ce8a9a
SHA1

c9ebbc22c4c793bd7ab2651b997aea1fb6651715
SHA256

e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea
SHA512

2b77c70e595b2237409769d99b7c3448f70853780fd865d7eb721d421d9cabc007fdd7a2e0ee7b401fea5951230bee848bb33d2c2aa0ffaee84ef3cae8bc7fd1
SSDEEP

24576:e4Z8z1TQIYt/R6Zg2k85kP0vv4EvfiYPgPTatiI1LHx:e4SzmIoKNCPoZntPgPTatiIlx

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2752	powershell.exe
2684	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2660	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
2752	powershell.exe
2684	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2752	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	30
PID 2380 wrote to memory of 2752	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	30
PID 2380 wrote to memory of 2752	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	30
PID 2380 wrote to memory of 2752	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	30
PID 2380 wrote to memory of 2684	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	32
PID 2380 wrote to memory of 2684	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	32
PID 2380 wrote to memory of 2684	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	32
PID 2380 wrote to memory of 2684	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	32
PID 2380 wrote to memory of 2660	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	34
PID 2380 wrote to memory of 2660	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	34
PID 2380 wrote to memory of 2660	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	34
PID 2380 wrote to memory of 2660	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	34
PID 2380 wrote to memory of 976	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	36
PID 2380 wrote to memory of 976	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	36
PID 2380 wrote to memory of 976	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	36
PID 2380 wrote to memory of 976	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	36
PID 2380 wrote to memory of 2732	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	37
PID 2380 wrote to memory of 2732	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	37
PID 2380 wrote to memory of 2732	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	37
PID 2380 wrote to memory of 2732	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	37
PID 2380 wrote to memory of 268	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	38
PID 2380 wrote to memory of 268	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	38
PID 2380 wrote to memory of 268	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	38
PID 2380 wrote to memory of 268	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	38
PID 2380 wrote to memory of 2312	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	39
PID 2380 wrote to memory of 2312	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	39
PID 2380 wrote to memory of 2312	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	39
PID 2380 wrote to memory of 2312	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	39
PID 2380 wrote to memory of 1748	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	40
PID 2380 wrote to memory of 1748	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	40
PID 2380 wrote to memory of 1748	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	40
PID 2380 wrote to memory of 1748	2380	e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe	40

C:\Users\Admin\AppData\Local\Temp\e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
"C:\Users\Admin\AppData\Local\Temp\e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LwGrjoPJzyBSZs.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LwGrjoPJzyBSZs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7752.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2660
- C:\Users\Admin\AppData\Local\Temp\e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
  "C:\Users\Admin\AppData\Local\Temp\e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe"
  2⤵
  PID:976
- C:\Users\Admin\AppData\Local\Temp\e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
  "C:\Users\Admin\AppData\Local\Temp\e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe"
  2⤵
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
  "C:\Users\Admin\AppData\Local\Temp\e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe"
  2⤵
  PID:268
- C:\Users\Admin\AppData\Local\Temp\e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
  "C:\Users\Admin\AppData\Local\Temp\e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe"
  2⤵
  PID:2312
- C:\Users\Admin\AppData\Local\Temp\e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe
  "C:\Users\Admin\AppData\Local\Temp\e54d75beb808253cbb5c06bbe37211b9a7467c39dac776ea72df26be3b30f5ea.exe"
  2⤵
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7752.tmp

Filesize
1KB

MD5
13c43648a0ea0047a4696d5bdb33ea2f

SHA1
97da86a63c00a209f40c31b08fcb0b2cc79e0abf

SHA256
2ae34f45db731553a344dddfed6347b71811979aa2a0a6935f8fab8f5ba2a9e3

SHA512
08578a4c27469b698804eaba38f5e97985fa034a568d567f77e04525f7146ef8a4db76934de07c247ffa42f4103f4eed6711d0cfebc497ce05a81441e960404b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a724cd45def83b21076216346ef95a5f

SHA1
b4709c454366ee439715bae49328cef37be05051

SHA256
1b87100dca40f4a861f5b0d1052569502bccd0b1a5b947bc80509a0b6c6d2aeb

SHA512
abba902f7488cda7b392110ffda4bf5d280ee0cbbef4ee39716f7444f862f08cd635d1d92f62ba1f6ad21ee4aaedd8a7ad905ce688bfd58ce30fd644ede5f1d8

Download Submit
memory/2380-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/2380-1-0x0000000000380000-0x0000000000482000-memory.dmp

Filesize
1.0MB

Download
memory/2380-2-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2380-3-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/2380-4-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/2380-5-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2380-6-0x0000000005190000-0x0000000005252000-memory.dmp

Filesize
776KB

Download
memory/2380-19-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download